Poet Auth Reject not working after reject using exec Module

Jorge Pereira jpereira at freeradius.org
Mon Nov 2 13:49:15 CET 2020


Looks like your script is doing something on the database and the next task executing these SQL queries is not affecting anything. Even the problem doesn’t appear to be in FreeRADIUS.

Try.

1. Execute your script with expected parameters. e.g: /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1”:

2. Create a script to perform the exact SQL query. e.g: SELECT groupname FROM radusergroup WHERE username = 'Aboserifaban' ORDER BY priority

3. Do the same call as you expect e.g: /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1”:

Always when you have something be called externally, the best way is to isolate the problem. Then, you go to poke the server.

Keep in mind that the “ram_exec” expects to the script return 0 for true and 1 for false.
---
Jorge Pereira
jpereira at freeradius.org




> On 31 Oct 2020, at 04:53, Muhammed Buvaydani via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I have
> FreeRADIUS Version 3.0.21   and  I am trying to authenticate users using External  Php script , the script is working fine ,
> my problem  it is not insert in radpostauth table after getting reject from the script , this is the debug mode when I get reject user
> (0) Received Access-Request Id 71 from 127.0.0.1:47913 to 127.0.0.1:1812 length 100
> (0)   User-Name = "Aboserifaban"
> (0)   User-Password = "123456"
> (0)   Calling-Station-Id = "4e:f9:5e:77:0c:9a"
> (0)   NAS-Port = 102
> (0)   NAS-IP-Address = 103.200.57.138
> (0)   Framed-Protocol = PPP
> (0)   Framed-IP-Address = 192.168.0.1
> (0)   NAS-Identifier = "nas"
> (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> (0)   authorize {
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "Aboserifaban", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0)     [eap] = noop
> (0) files: users: Matched entry DEFAULT at line 48
> (0) files: EXPAND /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "%{User-Name}" "%{User-Password}" "%{Calling-Station-Id}" "%{NAS-Port-Id}" "%{NAS-IP-Address}" "%{Framed-Protocol}" "%{Framed-IP-Address}"
> (0) files:    --> /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1"
> (0)     [files] = ok
> (0) sql: EXPAND %{User-Name}
> (0) sql:    --> Aboserifaban
> (0) sql: SQL-User-Name set to 'Aboserifaban'
> rlm_sql (sql): Reserved connection (0)
> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'Aboserifaban' ORDER BY id
> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'Aboserifaban' ORDER BY id
> (0) sql: User found in radcheck table
> (0) sql: Conditional check items matched, merging assignment check items
> (0) sql:   Cleartext-Password := "123456"
> (0) sql:   Simultaneous-Use := 1
> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
> (0) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'Aboserifaban' ORDER BY id
> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'Aboserifaban' ORDER BY id
> rlm_sql (sql): Reserved connection (1)
> rlm_sql (sql): Released connection (1)
> Need 6 more connections to reach 10 spares
> rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'cloudradius' on Localhost via UNIX socket, server version 5.5.65-MariaDB, protocol version 10
> (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
> (0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'Aboserifaban' ORDER BY priority
> (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'Aboserifaban' ORDER BY priority
> (0) sql: User not found in any groups
> rlm_sql (sql): Released connection (0)
> (0)     [sql] = ok
> (0)     if (User-Name =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
> (0)     if (User-Name =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)  -> FALSE
> (0)     [pap] = updated
> (0)   } # authorize = updated
> (0) Found Auth-Type = PAP
> (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (0)   Auth-Type PAP {
> (0) pap: Login attempt with password
> (0) pap: Comparing with "known good" Cleartext-Password
> (0) pap: User authenticated successfully
> (0)     [pap] = ok
> (0)   } # Auth-Type PAP = ok
> (0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default
> (0)   session {
> (0) sql: EXPAND %{User-Name}
> (0) sql:    --> Aboserifaban
> (0) sql: SQL-User-Name set to 'Aboserifaban'
> rlm_sql (sql): Reserved connection (2)
> (0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
> (0) sql:    --> SELECT COUNT(*) FROM radacct WHERE username = 'Aboserifaban' AND acctstoptime IS NULL
> (0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'Aboserifaban' AND acctstoptime IS NULL
> rlm_sql (sql): Released connection (2)
> (0)     [sql] = ok
> (0)   } # session = ok
> (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
> (0)   post-auth {
> (0) exec: Executing: /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "Aboserifaban" "123456" "4e:f9:5e:77:0c:9a" "" "103.200.57.138" "PPP" "192.168.0.1":
> (0) exec: ERROR: Program returned code (1) and output 'Reply-Message := "Your Account has been expired."'
> (0)     [exec] = reject
> (0)   } # post-auth = reject
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.1 seconds.
> Waking up in 0.7 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 71 from 127.0.0.1:1812 to 127.0.0.1:47913 length 52
> (0)   Reply-Message := "Your Account has been expired."
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 71 with timestamp +3
> Ready to process requests
> 
> 
> as  you see above it rejected the user but it seems the SQL module not running  ,
> this is my configuration in  POST-Auth section in default file
> post-auth {
> 
>  exec
>  sql
> Post-Auth-Type REJECT {
> 
> update reply {
>            Reply-Message = "Rejected: invalid username or password..!"
> }
> 
>                # log failed authentications in SQL, too.
> exec
> sql
> 
> }
> 
> 
> 
> }
> 
> 
> when I stop exec in Post-auth  section and it is working fine and it insert the result in radpostauth table
> Please help me to fix this issue
> Thanks in Advance
> Best Regards
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list